Data Security and Protection Overview

Lawfulness of Processing

The GDPR outlines clear and lawful grounds for processing personal data, meaning that processing data is only lawful should one or more of these grounds apply.

1 - Consent

Clear and unambiguous action given by an informed individual. When collecting consent it must be clear to the individual that they are giving consent. Confusing methods of ‘consent’ are not lawful.

2 - Compliance

Data processing may be necessary due to a legal obligation. If data is needed in order to comply with a legal obligation, its lawful basis would be compliance, e.g. retention of financial information.

3 - Public Interests

Necessary for the performance of a task carried out in the public interest, for example responding to a humanitarian disaster. This ground is reserved for the exercise of official authority.

4 - Vital Interests

Necessary in order to protect the vital interests of the data subject. This refers to matters of life or death and is used for medical reasons.

5 - Contract Performance

Necessary in order to enter into or perform a contract with the data subject, for example providing goods or services between a provider and a consumer, or between an employer and an employee.

6 - Legitimate Interest

Data processing is necessary for the purposes of legitimate interests. If this route is chosen, it must not impinge on the rights or freedoms of the data subject.

When considering lawful grounds for processing data, remember that the responsibility for proving each route lies with the controller (the person processing the data). Neither the data subject nor the regulator has any responsibility to prove anything.

Your default position should be that all data processing is unlawful until proven otherwise.